SYNCHOST.EXE ; Trojan Or Not ?

Discussion in 'malware problems & news' started by Kas, Apr 2, 2009.

Thread Status:
Not open for further replies.
  1. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    There is a thread on this ;-
    Randy Bell, 23 Nov.2002 No.1 - no replies
    This gives a full explanation of SYNCHOST.EXE by Symantec Security
    =====
    All the Internet and the above post list SYNCHOST.EXE as being registered as Ripjac virus\r, a Trojan virus that is malicious and causes a breach of privacy by searching and sending out personal information including banking details, passwords etc. The message given is very clear ; REMOVE IT IMMEDIATELY.

    Exactly how to detect all the infected files and records, together with their removal involves registry deletions, needing back-up. It does not seem an easy matter.

    It is stated that none of the regular virus and malware products pick up this virus.

    My system shows SYNCHOST.EXE is active. At the time of writing this post, there are FIVE SYNCHOST.EXE showing on the running process list.

    All are down as Company = Microsoft Corporation except one which = Crawler.com. All are User name = NT/Authority/System.
    One sub-divides into iexplore.exe and CToolbar.exe.

    I have AVG 8.0, COMODO IS, Spybot, Spyware Terminator, Spywareblaster, Malwarebytes, CCleaner and Vundofix, plus of course the inbuilt Microsoft/Windows security packs which handle malicious intrusions. NONE of these pick up SYNCHOST.EXE or any of it`s derivatives as a threat.

    This is most confusing, these processes look genuine enough, yet everybody is saying that SYNCHOST.EXE is a Ripjac virus, highly dangerous and should be deleted immediately.

    I must confess, whilst the consensus of opinion is overwhelming, I just cannot bring myself to believe that these SYNCHOST.EXE processes are rogues. I have never had any reason to suspect that my privacy is being breached and there ARE some contradictions on the Internet when you do enough looking.

    Can I please ask what the Forum experts think about this and IF it is a genuine threat, how can it be removed without wrecking the system operational flow ?
    KAS
     
  2. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Despite being a 6 year old thread, it just might be the ripjack trojan.
    I found another forum with a report of the same process.

    I would be curious what a Prevx CSI scan would bring.
    Or do an online scan from your choice of vendor..Kaspersky, Panda etc.
     
    Last edited: Apr 2, 2009
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Kas, according to Symantec, the maker of Norton, the Backdoor.Ripjac risk level is Very Low, perhaps because it's an old infection dating back to 2002. It's not unusual for today's software to concentrate on present dangers, instead of looking back, thus your software's inability to find the culprit.

    As the Tester indicated, online scanners like Kaspersky, ESET, F-Secure, Panda Security and others could be helpful in eradicating Ripjac.

    Before you do that, I would download McAfee Stinger v.10.0.0.482, a free, standalone utility and run a scan. Stinger was very good on old viruses and it's worth a try. If it does not work, use any of the above online scanners. Keep us posted.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It is SYNCHOST.EXE or svchost.exe?

    Pls make sure.
     
  5. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Hello Aigle, VERY WELL DONE ! No pulling the wool over your eyes.

    Have you ever heard of the word "illusion" ?
    Definition = something that is not really what it seems to be.

    Well, I looked again at MY process list and by golly it is SVCHOST.EXE which pops up all over the place. My eyes initially saw SYNCHOST.EXE !!
    YES, the lady DID really get sawed in half and walked away in two pieces.

    The net contents all refer to SYNCHOST.EXE as being the RipJac virus.

    I seem to have made a visual bloomer, but am really pleased that MY processes are SVC and not SYNC. In small print the V looks like a Y. The rest is an illusion.

    I suppose technically my thread is still valid since it deals with SYNCHOST.EXE being a virus, something which is not exactly undisputed on the net, but if I had not been visually misguided, I would not have raised it.

    Thanks for spotting it. You don`t wear those huge thick lenses do you ?

    As you are so eagle-eyed at seeing small differences - could you please see if you can find my bank interest credit if I send you my statement. It must be there somewhere but I cannot find it.
    KAS
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm. Glad to know that it is solved.

    Thanks. I sometimes wear glasses but not huge. :) But let me assure u it,s just a common happening.
     
  8. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Hi Aigle my optical consultant,

    I apologise to all Wilders Wizards for wasting their time due to my illusion between SYNCH and SVCH. Well these things do happen. What about all those Masters Degree with Honors super-brained fighter pilots who swear on oath that they have been chased by Flying Saucers ?

    I suppose a good example of illusion is this ;-

    Quasimodo being chased by a crowd of kids and yelling -
    'Bugger off, I have`nt got your football'
    KAS
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmm.... nothing so big. That,s OK.
     
Loading...
Thread Status:
Not open for further replies.